Zero Trust Access to cPFence WebUI Using Cloudflare Tunnel and OTP

cPFence

Important Note: Starting from version 3.3.85, cPFence WebUI now supports Auto SSL and automatically whitelists IPs when you log in via SSH. We recommend using direct WebUI access instead of Cloudflare tunnels to avoid timeout issues and limitations. Cloudflare Zero Trust has a 100-second timeout limit. If any cPFence WebUI operation takes too long (such as bulk actions across servers), you ma…

This content is hidden. Log in to view the full discussion.

webdig

I followed this guide strictly and everything is working perfectly — Cloudflare Tunnel access, OTP authentication, and a secure CPfence interface.

Now I’d like to further strengthen security and have a specific question:

How can I completely block public access to the direct WebUI URL (e.g. http://panel.myenhanceurl.tld:9095), ensuring that only the Cloudflare Tunnel is used for access?

The goal is to make sure port 9095 is not reachable publicly, even if someone tries to access it directly via domain or IP.

Additionally, is it possible to apply the same logic to:

LiteSpeed WebAdmin Console (port 7080)
Rspamd Web UI

In other words, restricting access so that only internal/private network ranges (e.g. 10.0.0.0/8) or the Cloudflare Tunnel can reach those interfaces — blocking everything else from the public internet.

I’ve also raised this topic on the Enhance community regarding a related concern:
"Separate admin access path for better compatibility and stronger security" - https://community.enhance.com/d/2907-separate-admin-access-path-for-better-compatibility-and-stronger-security

Thanks in advance for any advice or guidance!

cPFence

webdig

cPFence keeps port 9095 closed by default. Only Cloudflare’s network can access it now, and all access is filtered through your defined policy rules. So if you followed the guide, only users from your allowed country using your email for OTP will get in , everything else is blocked. If you want to see what others see, you can try https://geopeeker.com/ to check from multiple global locations.

You can apply the same setup to LiteSpeed WebAdmin Console (port 7080) and Rspamd Web UI to achieve similar restrictions.

mrEckendonk

The setup is really nice, we use ZeroTrust a lot and even protect WordPress sites with it.

Downside of putting the cpfence-ui or any other on a cloudflared is that the CNAME will be overwritten if the Enhance has the cloudflare API and an change is made in the Domain (DNS);

To prevent this, you should copy the CNAME of you tunnel in the Enhance Domain DNS records,

webdig

You can add them to the same /etc/cloudflared/config.yml file

ingress:
  - hostname: cpfence.your-domain.com
    service: http://localhost:9095
  - hostname: rspamd.your-domain.com
    service: http://localhost:11334
  - service: http_status:404

Just add hostname and the service(s) to the ingress you want to use and rebuild the tunnel.

webdig

I'd just like to add an important note that may help other users:

Before following this tutorial, I was able to access the cPFence WebUI (port 9095) both via the server’s IP and through the Enhance panel address with port 9095.

After completing all the steps in the tutorial — including setting up the Cloudflare Tunnel, enabling OTP authentication, and applying the Zero Trust access policy — access via the protected subdomain worked perfectly.

However, direct public access to port 9095 remained possible, meaning that anyone who knew the IP and port could still access the WebUI without going through the tunnel.

I was only able to fully block this external access after explicitly running:

sudo ufw deny in 9095

that is, configuring the server firewall to deny public access to the port.

It might be helpful to include this step in the tutorial, to ensure the WebUI is truly inaccessible from the public internet and can only be reached through the Cloudflare Tunnel + Zero Trust.

cPFence

webdig

This shouldn’t happen , port 9095 is closed by default. Make sure all steps were followed correctly, and double-check if your IP is whitelisted for port 9095.

You can run:
ufw status numbered | grep 9095
to check for any existing allow rules.

xyzulu

@webdig your own IP is probably white listed in the firewall, which might be why the port appears to be open. You should know how to check this in UFW.

cPFence

Important Note:
Cloudflare Zero Trust has a 100-second timeout limit. If any cPFence WebUI operation takes too long (such as bulk actions across servers),
you may see a 524: A timeout occurred error. This is a Cloudflare limitation, not a cPFence issue.
Learn more here.
To avoid this, access the WebUI directly at: http://your-server-ip:9095 when performing long tasks.

cPFence

cPFence Important Note:
Cloudflare Zero Trust has a 100-second timeout limit. If any cPFence WebUI operation takes too long (such as bulk actions across servers),
you may see a 524: A timeout occurred error. This is a Cloudflare limitation, not a cPFence issue.
Learn more here.
To avoid this, access the WebUI directly at: http://your-server-ip:9095 when performing long tasks.

In the latest version of cPFence, we’ve managed to bypass this limitation for most tasks. Enjoy!

koboh

Am I right in thinking that the same process would work for OLS Admin/Dashboard?

Would there likely be any additional steps to make it work? I have looked over forums here and on Enhance and I couldn't see anyone asking about this.

cPFence

koboh

Yes, you can expose as many panels as you like through a single Cloudflare Tunnel, you just need to add one ingress rule per panel in your config.yml and follow the same steps.

koboh

cPFence I Have tried but not had any luck, so I think I need to review the settings. I must have something wrong. I think it might be down to the OLS web admin port being blocked. Not sure how to expose it internally only.

SvenK

Am I correct in understanding that this only works if the DNS for the domain of the Enhance-Admin-Server is managed through Cloudfair?

cPFence

SvenK

No, you can use any domain you control on Cloudflare for the tunnel, for example, cpf.myotherdomain.com.

cPFence

koboh

Try this

# Edit your ingress
nano /etc/cloudflared/config.yml
  
ingress:
  - hostname: olsadmin.example.com
    service: https://127.0.0.1:7080
    originRequest:
      noTLSVerify: true

  - hostname: your-subdomain.example.com
    service: http://localhost:9095
  - service: http_status:404
   
# Add the new dns record 
cloudflared tunnel route dns cpfence-webui olsadmin.example.com

# Restart to apply   
sudo systemctl restart cloudflared

koboh

Awesome, that worked, thank you.

I was using localhost and adding the noTLSVerify helped too.

The only change I made was, I added:

- service: http_status:404

I added this because when I validated the config.yml, I was getting the below error:

The last ingress rule must match all URLs (i.e. it should not have a hostname or path filter)

Adding the http_status at the end, cleared that error.

Oldschool

I'm getting a 403 error after logging in to the tunnel and after logging into the cpfence webui saying the IP is not whitelisted after setting up the tunnel.

Is it wanting me to whitelist cloudflare tunnel IPs?

cPFence

Oldschool

No, you don’t need to whitelist Cloudflare tunnel IPs. If set up right, the WebUI only sees localhost. Just be sure to follow all steps then verify using:

dig +short your-subdomain.example.com  # should return Cloudflare ips, not your server IP
cloudflared tunnel info cpfence-webui  # should show healthy with "origin ip" as your server IP.
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:9095   # should return 200

Oldschool

cPFence
dig shows 2 cloudflare IPs
info shows the tunnel
curl gives 200

I've restarted the webui, the tunnel is working, prompts me for email and gives me the code and then forwards me to the cpfence webui but when I put in the credentials it refreshes to the /webui page and says:
403 Forbidden

Your IP is not whitelisted to access this service.

cPFence

Oldschool

Make sure these files have the correct entries:

cat /opt/cpfence/webui/allowed_ips.txt
127.0.0.1
::1

cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback

If anything’s missing, fix it and then restart the WebUI:

cpfence --restart-webui

Oldschool

cPFence

::1 wasn't in the allowed_ips.txt
That fixed it, thank you!